fix(profile): update ufw.

fix #537
2024-11-14 23:43:56 +01:00 · 2024-10-01 18:15:51 +01:00 · 2024-10-01 18:15:51 +01:00 · 7033a13bc2
commit 7033a13bc2
parent cee1e9a3f2
2 changed files with 13 additions and 3 deletions
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/profiles-s-z/ufw
@ -16,10 +16,16 @@ profile ufw @{exec_path} {

    capability dac_read_search,
    capability net_admin,
+    capability net_raw,
+    capability sys_ptrace,

-    network netlink raw,
    network inet dgram,
+    network inet raw,
    network inet6 dgram,
+    network inet6 raw,
+    network netlink raw,
+
+    ptrace read,

    @{exec_path} mr,

@ -27,14 +33,16 @@ profile ufw @{exec_path} {
    @{bin}/cat ix,
    @{bin}/env r,
    @{bin}/python3.@{int} ix,
+    @{bin}/sysctl ix,
    @{bin}/xtables-legacy-multi ix,
    @{bin}/xtables-nft-multi ix,
    @{lib}/ufw/ufw-init ix,

-    /etc/default/ufw r,
+    /etc/default/ufw rw,
    /etc/ufw/ rw,
    /etc/ufw/** rwk,

+          @{run}/xtables.lock rwk,
    owner @{run}/ufw.lock rwk,

    owner @{tmp}/@{word8} rw,
@ -45,9 +53,10 @@ profile ufw @{exec_path} {
    @{PROC}/@{pid}/fd/ r,
    @{PROC}/@{pid}/net/ip_tables_names r,
    @{PROC}/@{pid}/stat r,
+    @{PROC}/sys/net/ipv{4,6}/** rw,
+    @{PROC}/sys/kernel/modprobe r,

    include if exists <local/ufw>
-
 }

 # vim:syntax=apparmor
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -382,6 +382,7 @@ tracker-writeback complain
 udev-dmi-memory-id complain
 udisksctl complain
 udisksd attach_disconnected,complain
+ufw complain
 update-grub complain
 update-secureboot-policy complain
 userdbctl complain